[sf-lug] sf-lug.{org,com} DNS (and whois, etc.)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Fri Jul 10 04:45:03 PDT 2015
My comments/thanks in-line:
> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] sf-lug.{org,com} & Network Solutions / Web.com
> Date: Fri, 10 Jul 2015 00:44:47 -0700
> I did a quick check on the contents of the zonefiles, verifying that all
> nameservers respond, that they give the same answers, that there are no
> stealth or lame nameservers, that all nameservers accept TCP (and not
> just UDP) queries, that the NS list in the served zone matches the NS list
> in the parent zone, that all nameservers are (now) authoritative, that
> none of the nameservers accept recursive queries from the public (which
> is bad security practice), and that the SOA values are reasonable.
Ah, yes, thanks for those additional checks (I'm sure I checked *much*
earlier, but hadn't checked recently).
> For sf-lug.com, the SOA RETRY and REFRESH values are both 3600, which is
> wrong. RETRY needs to be less than or equal to half the REFRESH.
>
> For sf-lug.org, the SOA EXPIRE value is 604800. RFC1912 suggests a
> value between 1209600 and 2419200.
Nice catch! Yep, I ought to get around to adjusting those. Not sure where
those non-optimal values may have snuck in from ... some of them I may
have just carried forward from earlier values in DNS for those zones.
> Those are minor problems at worst (though they should be fixed).
> And....
>
>> So anyway, if you check the WHOIS, all should be well.
>
> ...Small problems also exist in the whois records (which can be fixed
> via the customer login for the domain at NetSol):
>
>
> sf-lug.com
> ----------
>
> Registrant Email: no.valid.email at worldnic.com
> Admin Email: sflug.org at gmail.com
> Tech Email: sflug.org at gmail.com
> Billing Email: (not shown)
>
> 1. It's risky to use non-deliverable e-mail addresses for any of the
> domain contacts. Reason: Might not receive crucial mails.
>
> 2. I recommend having the four contacts allocated to at least two
> individuals preferably using different e-mail paths / providers.
> Reason: prevent single point of failure.
>
> 3. I recommend avoiding 'role' e-mail addresses or names that aren't
> visibly each that of a specific individual. Reason: transparency and
> accountability.
>
>
> Registrant Phone: +1.5108830772
> Admin Phone: +1.5108830772
> Tech Phone: +1.5108830772
> Billing Phone: (not shown)
>
> 4. It's better if the displayed domain contacts include at least two
> distinct, real, telephone numbers. Reason: prevent single point of
> failure.
>
> sf-lug.org
> ----------
>
> Registrant Email: no.valid.email at worldnic.com
> Admin Email: sflug.org at gmail.com
> Tech Email: sflug.org at gmail.com
> Billing Email: (not shown)
>
> Registrant Phone: +1.5108830772
> Admin Phone: +1.5108830772
> Tech Phone: +1.5108830772
> Billing Phone: (not shown)
>
> Same comments as for sf-lug.com.
And yes, as always, excellent points. Hopefully we'll get most or all of
that cleaned up and set as it should be (or at least much closer to how
it should be). Also want to be careful to not change *too* much and
trigger any lock period by registrar (e.g. if registrar believes registrant
has changed, they often put a lock on the domain for some set (30? 60?) of
days). Would be preferable to avoid any unnecessary locks, so registrar
transfers can actually get done sooner, rather than later. I also notice
one of the two domains appears to have no such registrar time lock on
it presently :-) ... though one has lock: Status: renewPeriod - so have a
wee bit more wait on that one before it can be transferred.
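The zone checks Rick lists above (SOA timers, NS set in the parent matching the NS set served by the zone, no stealth or lame servers, no servers offering recursion) can be scripted. The block below is an added example written for this page, not code from either poster: it applies those rules to dig-style answer lines and header flags. The input is constructed, not captured: the REFRESH, RETRY and EXPIRE values are the ones quoted in the thread, while the serial, minimum, and the example.net nameserver names are made up. Against live servers the same lines come from `dig +noall +answer <zone> SOA` / `NS` (add `+tcp` to confirm the server answers over TCP) and the flags from the `;; flags:` header line of `dig @<server> <zone> SOA`.

```python
"""Sanity checks for a zone's SOA timers, delegation and server behaviour.

Added example for this page; the sample dig output below is constructed.
"""
import re
from dataclasses import dataclass

# RFC 1912 section 2.2 guidance for SOA EXPIRE: two to four weeks, in seconds.
EXPIRE_MIN = 1209600
EXPIRE_MAX = 2419200


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


# One answer line as printed by 'dig +noall +answer <zone> SOA'.
_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)"
    r"\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)
# One answer line as printed by 'dig +noall +answer <zone> NS'.
_NS_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<target>\S+)\s*$")


def parse_soa(line):
    """Parse a dig-style SOA answer line into an SOA record."""
    m = _SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not an SOA answer line: %r" % line)
    g = m.groupdict()
    nums = [int(g[k]) for k in ("serial", "refresh", "retry", "expire", "minimum")]
    return SOA(g["mname"], g["rname"], *nums)


def parse_ns(answer_text):
    """Return the set of nameserver names from NS answer lines, normalised."""
    names = set()
    for line in answer_text.splitlines():
        m = _NS_RE.match(line.strip())
        if m:
            names.add(m.group("target").lower().rstrip("."))
    return names


def check_soa(soa):
    """Apply the SOA timer rules from the thread; return a list of findings."""
    findings = []
    if 2 * soa.retry > soa.refresh:
        findings.append("RETRY %d exceeds half of REFRESH %d" % (soa.retry, soa.refresh))
    if not EXPIRE_MIN <= soa.expire <= EXPIRE_MAX:
        findings.append("EXPIRE %d outside RFC 1912 range %d-%d"
                        % (soa.expire, EXPIRE_MIN, EXPIRE_MAX))
    if soa.expire <= soa.refresh:
        # A secondary would drop the zone before it even re-polled the primary.
        findings.append("EXPIRE %d not greater than REFRESH %d" % (soa.expire, soa.refresh))
    return findings


def check_delegation(parent_ns, child_ns):
    """Compare the NS set delegated by the parent with the NS set the zone serves."""
    findings = []
    for name in sorted(child_ns - parent_ns):
        findings.append("stealth nameserver %s: in zone but not in parent delegation" % name)
    for name in sorted(parent_ns - child_ns):
        findings.append("nameserver %s delegated by parent but missing from zone NS set" % name)
    return findings


def check_response_flags(server, flags):
    """Inspect the ';; flags:' field of a reply from a listed nameserver."""
    f = set(flags.lower().split())
    findings = []
    if "aa" not in f:
        findings.append("%s is lame: answered without the AA flag" % server)
    if "ra" in f:
        # RA means the server advertises recursion to this client; confirm by
        # querying it for a name outside the zone before calling it open.
        findings.append("%s advertises recursion (RA set)" % server)
    return findings


# Constructed sample input (not a real capture): the timers 3600/3600/604800
# are the values quoted in the thread; everything else is made up.
SAMPLE_SOA = ("sf-lug.com. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
              "2015071001 3600 3600 604800 3600")
SAMPLE_PARENT_NS = ("sf-lug.com. 172800 IN NS ns1.example.net.\n"
                    "sf-lug.com. 172800 IN NS ns2.example.net.\n")
SAMPLE_CHILD_NS = ("sf-lug.com. 3600 IN NS ns1.example.net.\n"
                   "sf-lug.com. 3600 IN NS ns2.example.net.\n"
                   "sf-lug.com. 3600 IN NS ns3.example.net.\n")
SAMPLE_FLAGS = {"ns1.example.net": "qr aa rd",
                "ns2.example.net": "qr rd ra",   # lame and advertising recursion
                "ns3.example.net": "qr aa rd"}


def audit(soa_line=SAMPLE_SOA, parent_text=SAMPLE_PARENT_NS,
          child_text=SAMPLE_CHILD_NS, flags=SAMPLE_FLAGS):
    """Run every check over one zone's collected answers; return all findings."""
    findings = check_soa(parse_soa(soa_line))
    findings += check_delegation(parse_ns(parent_text), parse_ns(child_text))
    for server, f in sorted(flags.items()):
        findings += check_response_flags(server, f)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

On the constructed input this reports the two SOA problems from the thread (RETRY not at most half of REFRESH, EXPIRE below the RFC 1912 range), one stealth server (ns3 served in the zone but absent from the parent), and one server that is both lame and advertising recursion.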